DNS Encryption explained - DNS over TLS (DoT) & DNS over HTTPS (DoH)
Вставка
- Опубліковано 11 лип 2024
- I'll explain what DNS encryption is about. How does it technically work, why should we all care about, and which role does it play in the IT industry?
DNS over TLS (RFC): tools.ietf.org/html/rfc7858
DNS over HTTPS (RFC): tools.ietf.org/html/rfc8484
Follow me:
TWITTER: / christianlempa
INSTAGRAM: / christianlempa
DISCORD: / discord
GITHUB: github.com/christianlempa
PATREON: / christianlempa
MY EQUIPMENT: kit.co/christianlempa
Timestamps:
00:00 - Introduction
01:14 What is DNS encryption and why do we need it?
02:48 How do DNS requests work?
04:21 DNS over TLS
07:06 DNS over HTTPS (DoH)
09:34 Concerns with DoH implementation
________________
All links with "*" are affiliate links.
Very well explained. Thank you. 🙏🏽
This channel is very helpful for DevOps.
Yes pls more videos on this topic ✌
Perfect Content and clear explanation! Kudos to you!
Please make more of this kinds of technical/conceptual videos related to security topics which are a great help for other IT/Network enthusiastic individuals such as myself!
Thank you! Of course, I'll do :)
consulta
@@christianlempa consulta cual de los dos es es mejor usar cual recomiendas usar solo dime uno dot o doh cual uso ya que uno de los dos es mejor y lleva la ventaja cual me recomiendas usar para ponerlo en todos mis dispositivos
responder lo antes posible porfavor.
is there a source to get the basic codes that i use as basis for my thesis?@@christianlempa
so helpful, much thanks
Thanks, that was a good discussion.
thanks! :)
Very interesting topic! New to your channel!
Nice, thank you and welcome 🙂
I learnt something new thanks to you.
Glad to hear it!
really helphufl thanks ! :)
Glad it helped!
1:51 You mean they can see just SNI right as protocol will be SSL
Thanks for the knowledge. So these techniques still need to be supported by the hosters/sites to make it fully encrypted?
I am just wondering if its really better to send the dns query via cloud based providers instead of „trusting/rely“ on your ISP. Probably depends on the country and their laws
Thank you for your video. I have a question what do you think would be faster DoH or DoT?
So so you recommend IPS DNS or CloudFlare DNS over HTPPS? Great video btw
Awesome content, had been banging my head on such concepts. Request you to explain how to capture the data via Wireshark.
I did a video about "7 amazing network engineer tools" where wireshark was one of them, that could be interesting for you 😉. However, if more people are requesting I consider making a short series about it.
@@christianlempa Great man, that would do for me i guess. Thanks for the heads up!
I want to see the configuration you did for stubby.yml file. Could you please share?
Very helpful and makes learning easy. I watched it twice to digest all details well.
Centralized or De-Centralized , that's the question too :) , thanks for the nice video
Interesting question ☺️ That's maybe a good topic for an upcoming video. Thank you!
Maybe video `bout DoQ?
Thank you
You're welcome
From India.. thanks 👍
How these settings are turned on..?
(Using DNS over WARP)
Greeting, hope help me.
1- i set my machine network(i donot do any change for router only change my machine) to use "1.0.0.2 & 1.1.1.2" as dns server, they belong to cloudfloar.
2- is that mean all my machine dns quire encrypted (dns over https)?
3- when i go to cloudfloar test page the results was i do not use dns over https. Also when activate the dns over https in Firefox the results was "we do not know if you use dns over https or not".
4- there's any steps i should do beside set machine network to use clodfloar dns server, to be sure i use dns over https?
Thanks in advance
Nice
Can zone transfers also be done the same?
Do you have a tutorial on how to set it up on named?
How does the performance impact look here? DNS under 512 bytes is a UDP query, super fast. Most machines cache the results locally, but resolvers usually don't cache. They may have to take more burden of responding to users queries by encrypting, decrypting, additional payload etc.,
Also I'm not sure if bind daemon supports these protocols as it's widely used.
very good. demoing with wireshark was very useful. thank you and please keep making videos like this.
can't connect to internet with my mobile data but with wifi....my browser says dns is hijacked or polluted please please help me to fix this issue
How can I to config on bind9 fowarders?
How do attackers use the DOH for malicious purposes? Will they use any tool to tunnel the DOH and then applies data exfiltration or they will exploit the server such as Cloudflare, Mozilla and then applies C2 commands.
I have no real data on this unfortunately, but I assume that doh queries could be easily used to bypass local security gateways.
Question: Considering android 9 pie now incorporates DoT configuration, browsers like Bromite incorporating DoH and DNS providers like Quad9 providing free encrypted options for both... is it possible/beneficial to use both simultaneously...? On android mobile or tablet devices
And thank you for the content! =)
Thanks 😊. One of the problems when browsers or applications implement their own DNS resolving technique is that it's independent from the OS DNS resolving. That means your browser will use DoH queries to whatever it uses as a resolver, and other apps will use the DoT queries configured in android. So yes, it can work both and it doesn't interfere each other, but it could be that the browser will use different resolvers like it's configured in the OS. DNS resolvers like Quad9, cloud flare and Google usually support both methods, so that should work fine in this case 😉
I love that 30 hrs ago, that question i asked would've seemed like a totally foreign language to me, and already, so many puzzle pieces regarding internet security, privacy, anonymity and how networks function are all coming together and making sense.
That's all thanks to youtubers like you. Thanks for getting back to me and thank you for helping me to understand, much appreciated
@Reepix thank you so much for that kind feedback, I'm glad it helped you and keeps me motivated to do more content! Cheers 😁
if you are using a VPN does it matter ?
Wouldn’t encrypting your queries with DOH or DOT also protect you from the dns provider itself?
I understand that Cloudfare, Nextguard, etc claim not to keep logs but can they initially see all of our traffic?
The DNS queries are encrypted from your PC to the DNS resolver, so they can see everything
@@christianlempa Sorry but how could they see it if it’s encrypted? 🤔
@@contenteater At some point, they need to be unencrypted: someone must be able to answer the DNS query, or otherwise you won't get a response at all and URLs stop working. This unencryption happens at your DNS resolver. (A late response, I hope it's still useful)
@10:28 what ist this "unencrypted SNI" your are apparently still sending out using encrypted DNS?
The SNI (Server Name Indication) is always transmitted unencrypted in any HTTPS request
5:17 How can my ISP resolve my DNS-request if he can't inspect the DNS-data (since it is TLS-encrypted)?
The ISP can't inspect the DNS requests when they're encrypted, only when you're not using DNS over TLS. Hope that helps :)
@@christianlempa I think Christian’s question was “how would my internet provider be able to process my searches if they are unable to view my searches” 🤔
@@contenteater somewhere up stream in DNS servers the request would go unencrypted to resolve
Würde ich das Problem lösen, wenn ich einen VPN in meinem Wlan-Netzwerk etabliere und wenn nicht, warum nicht? Besten Dank! - Ich beantworte mal selbst, würde mich aber über Feedback freuen: das Problem entsteht "ausserhalb" meines Netzwerkes und die IP-Adresse wird über die Leitung "einsehbar" so kein TLS über DNS konfiguriert ist. Der VPN kann nur verhindern, dass jemand mein Wlan entert, davon wird das senden der IP ausserhalb des Netzwerkes aber nicht berührt, korrekt?
Hey, sorry ich bin etwas verwirrt :D Was genau möchtest du erreichen, bzw. welches Problem lösen?
But doesn't this only hide the URL? Once the URL is resolved to an IP address, isn't that IP address then visible to your ISP, therefore they can still work out exactly what website you are accessing?
You could use the IPs to roughly identify targets, but many websites are using CDNs today which IPs are hosting a ton of websites.
can't connect to internet with my mobile data but with wifi....my browser says dns is hijacked or polluted please please help me to fix this issue
Very good video but the background music is annoying
Wouldn't the purpose be defeated if a company's DNS doesn't support DoH or DoT?
That's right. A lot companies actually disable DoH and DoT because it bypasses the companies DNS and firewalls which is a big problem. It is a challenge for companies, but I think we need to come up with a reliable solution that allows companies, firewall vendors to make use of DoH or DoT, aligned with the companies preferences and security needs.
But that's something that is not established well at this stage and it's interesting to see what solution will become the new standard at some day. In networking those changes take usually a long time.
Maybe companies need to embrace the fact that their no longer able to filter user traffic. I have a VPN enabled 24/7 & I know many other people do as well.
Still confused if I should use DoH or DoT. I wanna be secure but also want to hide from my ISP.
If you want to hide from your isp there is no way around vpn. DNS encryption alone is not going to help u
I like your accent as a non englsih native speaker
Thanks 😆
So, which one is better to use? DoT or DoH?????
Technically both are sufficient and generally you can use whatever works for you. But I think that DoH is a bit more widespread than DoT in terms of implementation by companies. However, this is still work in progress, there are also other alternatives like DoQ and we'll see what will become the new standard.
@@christianlempa thank you a lot
Mr.13 why is DoT better than DoH I need the most secure form of DNS and I do not want my ISP spying on me. I don’t mind going the extra step for security.
You are addressing HALF of the problem : the "question" (request). What about the "reply" ? What is the packet configuration of the reply ? Does it contain your IP address (in clear) and the IP address of the encrypted url (in clear) ? If so, then... you aren't "protected" since your ISP can reverse lookup the DNS contained in the "reply" packet ! No ?
How we can apply a full solution?
@@H-qx8oz That IS the question !
just post all ip addresses
Doesn't my provider still know which domains I visit? It the provider has a DNS, the provider knows which IPs belong to which domain. So even if my provider does not see the DNS request, once I load a single package from the IP he will still know that I visited the website with that IP. If the DNS knows which IP belongs to which domain, the opposite should als be possible. So I do now really see how my privacy is protected unless I use a VPN.
PS: Be careful with Google's DNS servers! Google does not really provide that service for free. They will store all the domains you visited forever to send you even more targeted ads.
Often the IP address does not directly relate to the actual web site you're browsing. Most companies and websites today use CDNs like Akamai or Cloudflare, so you can sometimes compare the address with the name, but not always.
Also, you can still see the domain in the HTTP's requests, as it's included in the SNI (not the full path though). But that always works, no matter if you encrypt the DNS requests. So yeah, you're right, a VPN is the only way to really "hide" the traffic from your ISP.
Annoying music.